Initial investigations traced the address to defense contractor SAIC, which provides a wide range of information technology and C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance, and Reconnaissance) support to the Department of Defense. The geolocation of the IP address corresponds to an SAIC facility in Arlington, Virginia.

Further analysis using a DNS record tool from Robotex found that the address was actually part of several blocks of IP addresses permanently assigned to the NSA. This immediately spooked the researchers.

"One researcher contacted us and said, 'Here's the Robotex info. Forget that you heard it from me,'" a member of Baneki who requested he not be identified told Ars.

The use of a hard-coded IP address traceable back to the NSA is either a strange and epic screw-up on the part of someone associated with the agency (possibly a contractor at SAIC) or an intentional calling card as some analyzing the attack have suggested.

From our forums

It's so simple! All I have to do is divine from what I know of the NSA: is it the sort of organization that would put kiddie porn onto its own IP block or its enemy's? Now, a clever organization would put the kiddie porn onto its own IP block, because it would know that only a great fool would download what he was given...